CN100456240C - Applying custom software image updates to non-volatile storage in a failsafe manner - Google Patents

Abstract

Described is a system and method in which software updates in the form of self-contained, secure entities are applied to an embedded device's non-volatile storage in a failsafe manner. Various types of software updates may be applied, and updates may contain executable code and/or data. Following a reboot, an initial program loader determines an update mode, and if updating, boots to a special update loader. The update loader processes update packages to apply the updates. Kernel partition, system partition and reserve section updates may be updated with entire files or binary difference files, with failure handling mechanisms are provided for each type of update. Updates may be simulated before committing them. Updates may be relocated in memory as appropriate for a device.

Description

In the fault secure mode to the nonvolatile memory applying custom software image updates

The reference of related application

The present invention requires the right of priority of the U.S. Provisional Patent Application sequence number 60/530,184 of submission on Dec 16th, 2003, and this application integral body is incorporated into this.

The present invention relates to following U.S. Patent application, they are submitted to the present invention and integral body is incorporated into this:

Summary number 4281/307,650, " determining to upgrade collection (Determingthe Maximal Set of Dependent Software Updates Valid for Installation) " to effective maximum depended software is installed;

Summary number 4291/307,651, " guaranteeing only installation or operation (Ensuring that a Software Update may be Installed or Run only on a Specific Deviceor Class of Devices) on specific equipment or equipment class of software upgrading ";

Summary number 4301/307,652, " self-describing software image update components (Self-Describing SoftwareImage Update Components) " and

Summary number 4311/307,663, " in file, creating file system (CreatingFile Systems Within a File In a Storage Technology-Abstracted Manner) " in the abstract mode of memory technology.

Technical field

The present invention relates generally to calculation element, relate in particular to the nonvolatile memory of update calculation device.

Background technology

Becoming important and popular user instrument such as personal digital assistant, contemporary mobile phone and mobile computing devices such as hand-held and pocket computer.Generally speaking, they become enough little, make them extremely convenient, and consume the less power of battery, and become at the same time and can move more powerful application program.

In making the process of this kind equipment, the embedded OS map is built in per unit monolithic image file usually, and be stored in the nonvolatile memory (as, NAND or NOR flash memory, hard disk or the like).As a result of, up to now, upgrading this kind equipment is a suitable complexity and resource-intensive problem, and it generally needs self-defining solution.

For example, upgrade this kind equipment and be usually directed to download whole new monolithic image file, it comprises the single static map of moving that institute develops and issues on cluster tool.Can easily understand, what no matter has changed, all need very a large amount of system resource (as, be used for interim preserving the storer that upgrades map, being used to network bandwidth that receives whole image file or the like), thus, device update process needs disposable self-defined solution usually.

Needs are a kind of more flexible than existing update mechanism, dynamic and effective, and are still the better method of the nonvolatile memory of fault-secure update calculation equipment.

Summary of the invention

Briefly, the present invention is directed to a kind of system and method from fault-secure mode to the nonvolatile memory of embedded device that use the software upgrading of self-contained, secure entity form in.Can use various types of software upgradings, comprise the renewal that can only comprise the change of last renewal.In addition, software upgrading can comprise executable code and data.

In one implementation, after restarting, the initial program loader is determined when renewal is requested or is underway, if then be directed to update loader and improper operating system code.The update loader operation is used for using to flash memory (or other storage media) in due course upgrading to confirm any renewal co-pending.For safety and control, update loader be in the system to Guared memory (as, NK subregion and system partitioning) sole entity with write access authority.Should be noted that the renewal application program also has the write permission to reserve area in the flash memory.

In order to upgrade, update package (can be various forms) is downloaded in the system, and is confirmed by bag affirmation process, this process be included as security reason check each bag whether by correct signature, and totally check whether bag is correctly constructed.If effective, then upgrade and lined up, and upgrade to detect expectation for the initial program loader is provided with a sign.Restarting equipment then.

After restarting, the initial program loader sees that updating mark is set up, and for example by with update loader decompress(ion) (if being compressed) to RAM and skip to the update loader code and impel update loader operation.With kernel bag (if having such) beginning, to each bag, update loader processes this bag, reaffirm them, based on the flash memory consideration item file in the modified R AM section and these files are write in its corresponding subregion when needed.Notice that the initial program loader keeps the flash memory non-locking, makes it can be updated loader and writes.

For explaining the bag content, each bag comprises the equipment list file that has about the details of this bag, update loader reads its content, comprises overall unique ID, bag version of sign, with other relevant dependence information, various setting of bag and be included in the interior file and the tabulation of FileVersion.This inventory file is included in the bag, and order bag is for self-described thus, and finally is stored in the equipment after installing.The set of inventory file comprises the database of the installment state of wrapping on the equipment on the equipment, and it can be enumerated.

Update loader unzips to map among the RAM about the various information of map by retrieval from subregion/map, handles compression and non-compression map.If compression then can not read information simply, reside in existing knowledge where as the Main Boot Record of the position by the active partition that will upgrade is provided and read.

In one implementation, at first use any kernel and upgrade, mainly by backing up existing kernel in the user memory through it being read among the RAM and it being compressed in the fault secure mode.Renewal is an integral body to subregion, if the kernel of backup is then deleted in success, and if unsuccessful, then decompress(ion) is also replied the kernel that backs up.

System partitioning is generally greater than the kernel subregion, and therefore, it is too big usually, to such an extent as to can't back up for the fault secure related causes.On the contrary, use the IMGFS file system to come to upgrade, use one at every turn to individual other module and file applications.Individual other module and file may be too big, to such an extent as to can't finish as a whole, therefore, can use renewal by less piece.

IMGFS can at first simulate renewal process, and this needs twice by this process, and promptly in first pass, IMGFS and renewal application program will not submitted any content to flash memory.If simulate successfully, then move second time, submit to reality to change.If the simulation failure, retry is simulated after reruning the bag validator, and imports the package list of the bag that does not comprise failure into.The new tabulation of returning with the bag validator moves simulation once more then.The retry simulation up to simulating successfully, does not perhaps have applicable any bag.Although this has prevented the data corruption that occurred in the bag that has taken place to destroy but still signed.

When using existing equipment list file to repeat by the module among the IMGFS, whether this process check file occurs in the new equipment inventory file of this bag.If not, then from IMGFS subregion deletion this document, process continues next file.If then obtain the new module sign, and the module head be loaded in the modular structure from the new equipment inventory file.

Upgrade for carrying out, upgrade the application program process and in nested circulation, cycle through each bag grouping, with each file in the pack processing individually.If lose power supply in this process, then a journal file can inform accurately this process rests on which file in which bag and this bag, and when recovering power supply, renewal can be proceeded from this.The part of above-mentioned processing comprises that (for executable code) upgrades the virtual address distribution to update module.

Renewal can be canonical form or binary difference (increment) form.Non-module does not need the virtual address correction, and in case carries out when scale-of-two upgrades and can be written in the storer.If file is a module, then handle each segmentation one at every turn; Each segmentation is written into (wherein, stream is the file system notion as an IMGFS part) in the new stream.If file is the routine data file, then data are written in the default stream.

Upgrade if module is a standard, then handle each segmentation in this module, comprise to reorientating whole segmentation, and whole segmentation is write in the new IMGFS file as new stream by virtual assigned device addresses distributed.The new and old module in the original place when writing new piece, is removed distribution with old storage block.Under the situation of standard, carry out recovery by the size of obtaining each stream in the new file that is write out, and the size of this segmentation in itself and the authority file is compared power fail.If the stream in the new file is less than authority file, then that is exactly a part that process stops, and can proceed to duplicate on data.

Under the situation of binary difference, on a piece, carry out the patch installing process at every turn, wherein, piece can equal page or leaf/sector-size.This is because may there not be enough flash memory space to keep the legacy version and the redaction of segmentation simultaneously.When creating new piece, old can be removed and distribute, because they no longer need.Upgrade for scale-of-two difference, this segmentation is created rarefied flow in the new module file, and old segmentation is read among the RAM.Original base address is reorientated go back in whole old segmentation.For each new in the binary difference file, order makes up new piece based on scale-of-two difference, and new piece is repositioned onto the addresses distributed by virtual address divider institute, and it is written out to rarefied flow.No longer need any old from ancient deed stream is disengaged distribution.

Under the situation of binary difference, dwindle the scope that rests on which segmentation by flowing big or small comparing, to handle power fail with the size of appointment in the head.In case determined this segmentation, patch returns next piece in proper order, and checks whether this piece is submitted.If block is submitted, then carry out examine with check suitable old submitted.In case find the piece that is stopped, (that is, not submitted as yet piece), then process continuation as usual.

For the memory fragmentation that upgrade to keep, to upgrade similar mode with the kernel subregion, use same renewal assembly to finish to keep segmentation upgrade (as, outside subregion).By each file in the pack processing, and whether definite this document be the binary difference module, handles each and keep relevant bag and upgrade.If not, then as long as from file, read file data and write in the zone of reservation.If the binary difference module, then read existing zone (as, to RAM) in, and poor to its application binary before the zone that data updated is write back reservation.

When below reading in conjunction with the accompanying drawings, describing in detail, can know other advantage.

Description of drawings

Fig. 1 be general expression can be therein in conjunction with the block diagram of computer system of the present invention;

To be expression be used to make things convenient for the operating system map of the subregion that the fault secure assembly upgrades and the block diagram of loader assembly according to one aspect of the present invention to Fig. 2;

Fig. 3 is that expression is according to the block diagram of one aspect of the present invention to the memory application update package of equipment;

Fig. 4 is the form of the equipment list file that wraps is described in expression according to one aspect of the present invention a block diagram;

Fig. 5 A and 5B comprise that expression is according to the definite more process flow diagram of the example logic of the initial program loader bootup process of new model of one aspect of the present invention;

Fig. 6 is the process flow diagram of expression according to the example logic of the whole updating process of one aspect of the present invention;

Fig. 7 A and 7B comprise the process flow diagram of expression according to the example logic of one aspect of the present invention renewal kernel subregion;

Fig. 8 A and 8B comprise the process flow diagram of expression according to the example logic of one aspect of the present invention renewal operating system partition;

Fig. 9 is that expression to equipment is used the block diagram that upgrade by dependency graph with piece according to one aspect of the present invention; And

Figure 10 is the example logic of the memory fragmentation that keeps is upgraded in expression according to one aspect of the present invention a process flow diagram.

Embodiment

The exemplary operation environment

Fig. 1 shows the functional module of such hand-held computing equipment 120, comprises processor 122, storer 124, display screen 126 and keyboard 128 (can be physics or dummy keyboard, or represent both).Can exist microphone 129 to receive the audio frequency input.Storer 124 generally comprise volatile storage (as, RAM) and nonvolatile memory (as, ROM, pcmcia card or the like).Operating system 130 resides in the storer 124, and carries out on processor 122, as Microsoft

Operating system or another operating system.

One or more application programs 132 are loaded in the storer 124, and operation on operating system 130.The example of application program comprises e-mail program, scheduler program, PIM (personal information management) program, word processing program, spreadsheet program, the Internet browser programs or the like.HPC 120 also can comprise the notification manager 134 that is loaded in the storer 124, and it is carried out on processor 122.Notification manager 134 is handled the notice request of Tathagata self-application program 132.Equally, as described below, HPC 120 comprise be applicable to HPC 120 be connected to the network network software 136 of (comprise and make call) (as, hardware drive program etc.) and networking component 138 (as, radio and antenna).

HPC 120 has power supply 140, and it is implemented as one or more batteries.Power supply 140 also can comprise ignores internal battery or to its external power source that charges again, as the AC adapter or power up the butt joint carriage.

Exemplary hand held personal computer 120 shown in Figure 1 is shown as has three types external notification mechanisms: one or more light emitting diodes (LED) 142 and audio frequency maker 144.These equipment can couple directly to power supply 140, make when be activated, even HPC processor 122 or other assembly are closed when preserving the energy content of battery, they also keep one period duration of being indicated by informing mechanism.LED 142 preferably keeps indefinitely, takes action up to the user.Notice that the contemporary version of audio frequency maker 144 uses the too many energy of current HPC battery, so it is configured to when the remainder of system is closed, perhaps is closed after one period definite duration after activation.

Note, although show basic HPC, yet, for realizing purpose of the present invention, can all be equivalent in fact with any equipment that can receive data communication and deal with data by a certain mode that program is used.

The fault secure of custom software image updates is used

The present invention generally is stored in such as based on Microsoft at installing and/or upgrading

Software on the small-sized mobile computing devices such as the portable set of CE.NET is included in wherein to the nonvolatile memory of embedded device, writes those equipment of initial software or software upgrading as flash memory.However, the invention provides the benefit of calculating on the whole, and may be used on the storage of other computing equipment and other type thus, comprise the storage media of various types of storeies and/or other type, as hard disk drive.For simplifying purpose, term " flash memory " the renewable storage of reference device later uses, and all is equivalent although be appreciated that arbitrary memory mechanism.In addition, term " map " generally comprises that initial software is installed map and to the notion of the software upgrading subsequently of this map, even only upgrade the part of this map.

According to one aspect of the present invention, use software upgrading self-contained, the secure entity form to the nonvolatile memory of embedded device in fault-secure mode.Can use various types of software upgradings, comprise the renewal that only comprises the change of last renewal.In addition, software upgrading can comprise executable code and data.Be appreciated that executable code is customized to the virtual address space environment of embedded device when mounted.According to the present invention, software upgrading is installed in fault-secure mode, and according to the stage of upgrading, allows to involve in (roll-forward) and rollback (roll-back) and recover option.

Following table provides some term described in the invention and general, the unrestricted definition of file type:

Term

Term	Generic definition
		Module	Single executable file (.EXE .DLL etc.)
Be provided with	The set of configuration information can comprise registration table setting, file system initialization instruction (.DAT

	File), data base initialize and supply XML
		Assembly	The module of composition characteristic unit, file (non-module file comprises template, font etc.) and the set that is provided with.Assembly generates the Modules label with system usually and is associated.
Bag	Signed and the set of the packaged assembly that is used to distribute
		Inventory	The file of bag content is described.In constructing environment, there is bag inventory file with .BIB extension name, it comprises the clauses and subclauses of describing the name of each file in the bag, but only comprises these.The equipment side inventory is the binary file of describing about all information of bag (the equipment side inventory file that sees below).
The shade sequencing tool	The processing components relational file also generates the build tool that wraps the shade file.

File type

Extension name	File type	General description
			.pkd.xml	Package definition file	Make up which definition exists wrap (bag name, GUID, version, local partner's (loc buddy) XML file in the tree
.cpm.csv	The assembly of bag mapped file	Make up in the tree MODULES label and File mapping are arrived the csv file that wraps
			.crf.csv	The component relation file	Make up the text of the relation (shade and dependence) between the definition MODULES label in the tree
.psf	Bag shade file	List the intermediate file (have in each bag,〉.psf) that to make all bags of shade by the bag of name in the constructing environment as＜bag name
			.dsm	The equipment side inventory file	The file (in each bag one) of bag (file in the bag, name, GUID, signature, shade, dependence, CRC, root certificate etc.) is described on the equipment
.pkg.cab	The standard APMB package	The full release that comprises the bag of the complete file of All Files in the bag
			.pku.cab	The update package file	The convenient file that equipment is updated to the different editions of same bag from the particular version of single bag.This document can comprise the binary difference of respective files or complete file, and they any one all minimizes the size of update package.
.pks.cab	Super APMB package	The file that comprises the set of update package and/or standard bag.

As described in the United States Patent (USP) of above-mentioned by name " in file, creating file system " in the abstract mode of memory technology, can make up initial map (comprise, hereinafter describe) from components, and in manufacture process, attach it on the equipment in self-defined mode.This map makes up with independent subregion, generally in Fig. 2, represents, and can be as hereinafter described by partial update, and do not need to replace the monolithic map.

Compartment model has made things convenient for the reliable renewal of following embedded device and the software on the existing device.With mean on one group of equipment, move to generate single static map in software development and distribution process opposite, the invention provides the better modularization of the renewable map of a kind of convenience, and be still fault-secure more dynamic map update mechanism simultaneously.For this reason, the invention provides and a kind of the operating system map is split into the independent renewable assembly that can upgrade separately, and keep any dependent mechanism more flexibly of assembly of striding.For supporting this notion, the starter operating system map is constructed with some crucial architectural feature.

Fig. 2 shows the example compartment model that is used to be installed in the operating system map 202 on flash memory and/or other the suitable non-volatile memory medium.For storing the purpose of kernel map, provide kernel subregion 204 as restricted/shielded subregion.Kernel/NK subregion is that the core fragment (kernel, file system etc.) of operating system map provides storage, and is included in the code of carrying out in the bootup process.The other parts (driver, application program, data file etc.) that provide restricted/shielded system partitioning 206 to be used for stocking system component applications and operating system map.As hereinafter described, these subregions 204 and 206 content are managed by file system driver, the physical mappings of their abstract storages, and service has been enabled a kind of according to fault secure of the present invention/recovery solution with the renewal of processing of assembly in the back-up system subregion 206 thus.Visit to the content of shielded kernel subregion is controlled by binary file system (BINFS), and the visit of the content of shielded system partitioning is controlled by image file system (IMGFS).

Fig. 2 also shows the user storage subregion 210 that (although in fact not being the part of operating system 202) system/user/can be used when needed, it can be in essence any file system format (as, TFAT).As hereinafter described, except that other possible use, this subregion can be used for some bag that interim storage will be installed in renewal process.Note, write Main Boot Record to define these groupings, as its skew/size.

Fig. 2 also provides the function diagrammatic sketch of loader environment.Generally speaking, so loader is responsible for making a bit the going up (by initial program loader 222 of decision-making that normal booting operating system still upgrades guiding with the program designation embedded system to making closing, it can be worked together in conjunction with the boot loader 224 that is pre-existing in, if present).Notice that the boot loader of " being pre-existing in " is to new equipment and nonessential, yet equipment manufacturers can determine randomly it to exist.

For upgrading guiding, the part of loader comprises the supervisor's (gatekeeper) who takes on arbitrary flash memory renewal update loader (UL 220).In a single day update loader 220 is responsible for confirming any renewal co-pending, and is identified, in due course renewal is applied to flash memory.Be security and control, update loader 220 be have in the system to Guared memory (as, NK subregion and system partitioning) sole entity with write access authority, and provide a single point of the integrality of responsible protection system storer thus.Notice that update loader is relatively large, and only when using renewal, use that thus, in one implementation, it is stored with compressed format, and among the RAM that is extracted when needed.

Fig. 3 represents update contruction mechanism/process.Note, the viewpoint of Fig. 3 from upgrading, before initially filled with initial program loader, Main Boot Record (MBR) and update loader (UL) assembly at equipment (as, by jtag interface or the programmer colony in manufacture process) afterwards.Equally, standard bag (hereinafter describing) is applied to kernel and the system partitioning from long-time memory/RAM.

In Fig. 3, with update package 302 (can be standard, incremental update or super bag, as hereinafter described) download in RAM of system 304 and/or the user data memory 210, might under situation about can use, download with manual or automated manner to equipment user's update notifications.This is that the arrow of the numeral 1 of zone circle is represented by label in Fig. 3 generally.

Thus, in case initial manufacturing map has been installed on equipment, the discrete portions that is packaged into the map of bag by renewal is finished map over renewal in the future.Generally speaking, bag is the self-described set of image file (code, data, script etc.), and in one implementation, it comprises by the set of signature and the packaged assembly that is used to distribute.Bag provides operating system map software document to be split into the method for the minor feature group of file.In one implementation, the whole operation system image comprises one or more bags (not comprising the loader assembly), and can only handle then as the summation of less bag, these less bags can individually be managed, be made up and be upgraded, its each all can individually or with other bag upgrade in combination, depend on the demand of each bag.Thus, according to the present invention, map is upgraded no longer to be needed to finish as whole operation system image zone.

Bag can dispose in every way, comprises " standard ", " increment/poor " and " super " form, its each all serve various purposes about software upgrading.For example, the complete copy of each file in the standard bag comprises, and increment/difference comprises the one or more files than the binary difference of older version that only comprise based on this document.Increment/difference bag is less with respect to other bag usually, and uses when attempting to optimize download cost and download time thus.Super bag comprises other bag, and needs download bag more than (as, for complementary bag) time uses for convenient.In one implementation, APMB package is a Win32 CAB file, and they comprise the file of inventory file (hereinafter describing) and definition such as the bag that will install.

Standard wrap in the building process by with operating system features and metadata (as, the executable code of application-specific and relevant data and configuration information) being associated with package definition generates.Increment/difference bag is by the content application binary difference algorithm to two standard bags, and catches increment/difference and wrap in the dependence that has on the baseline standard bag version, generates from the standard bag.In case operating system map feature and metadata are mapped to other bag, as general description in the above-mentioned U.S. Patent application " self-describing software image update components ", enumerate the content of bag by using wrapping tool, and can be used for the relevant correction of storer and upgrade being updated in the future to make them by handling executable file (with the reorientation instrument that is called RelMerge), create each bag.

When the user guides renewal process, the bag validator is examined bag, as described in the patented claim of above-mentioned relevant " determining to upgrade collection to effective maximum depended software is installed " by name and " guarantee that software upgrading only install on specific equipment or device class or move ".If be identified, system is provided with updating mark in flash memory, and restarts.Note, as hereinafter described, preserve updating mark, make and losing under the situation of power supply, in case the guiding of update loader code, equipment can reenter more new model.

After restarting, initial program loader 222 sees that updating mark is set up, and the update loader of compression unziped among the RAM 304, as represented among Fig. 3, and control is delivered to update loader code 308 by unpressed update loader code 308.This is that the arrow of the numeral 2 of zone circle is represented by label in Fig. 3 generally.Note, when update loader begins to upgrade application program, upgrade application program and use listed files, or rerun the affirmation process before equipment is restarted by one group of catalogue standard that the updagebin.exe application program is provided with.Reruning the affirmation process replaces with the malice of prevention bag.

Begin with kernel bag (if any), for each bag, this bag of update loader processes, consider the file in the item modified R AM segmentation 310 and use the BINFS service that file is write in its corresponding subregion based on flash memory when needed, as being shown in 3 to 6 the arrow by label among Fig. 3.Revise general description hereinafter, and also in the related application of above-mentioned " self-describing software image update components " by name, description is arranged.

Each bag comprises equipment list file 400, and it comprises the details about this bag, represents as among Fig. 4.Inventory file is the authority file of each bag in essence, and comprise overall unique ID such as bag sign, bag version, with other be surrounded by the pass dependence information, be provided with, be included in interior listed files and FileVersion and other shared information such as common characteristics.Inventory file 400 is included in the bag, and order bag is for self-described thus, and it is checked in installation process, and finally is stored on the equipment.The set of inventory file comprises the database of the bag installment state on the enumerable equipment on the equipment.

In corresponding to a realization that is included in form in the equipment list file shown in Figure 4 and information, the equipment list file is also described with following organization definition:

typedef?struct?DeviceManifestHeader

{ const DWORD dwStructSize; // be used to specify size (with byte representation) the const DWORD dwPackageVersion of this structure of version; The version const DWORD dwPrevPkgVersion of // this bag; The version of // the bag that this bag upgraded, (0) are represented standard const DWORD dwPackageFlags; // bag unique identifiers const DWORD dwProcessorID; // what processor (definition among the coupling winnt.h) const DWORD dwOSVersion; // be building up to what version const DWORD dwPlatformID of operating system; // target platform is any const DWORD dwNameLength; // with the filename length const DWORD dwNameOffset of byte representation; // to the skew const DWORD dwDependentCount of the friendly name of bag; // rely in the GUID tabulation how many clauses and subclauses const DWORD dwDependentOffset are arranged; // from the front end of file begin to have how many bytes be rely on //GUID structure const DWORD dwShadowCount; In // shade GUID the tabulation how many clauses and subclauses const DWORD dwShadowOffset are arranged; // to begin to have how many bytes from the front end of file be array const DWORD dwFileCount with the bag GUID of // shade; How many file const DWORD dwFileListOffset have been listed in // this inventory; // begin to how many byte const DWORD cbCERTData of first file entries // have from the front end of file; The byte number const DWORD dwCERTDataOffset of // digital certificate data; // begin to how many byte const GUID guidPackage of certificate data // have from the front end of file; The GUID of // this bag } DeviceManifestHeaderm*PDeviceManifestHeader; Typedef struct_DependentEntry{ const DWORD size; Const DWORD version; Const GUID guid; DependentEntry, * PDependentEntry;

Typedef struct_FileEntry{ const DWORD dwNameLength; Const DWORD dwFlags; Const DWORD dwOffset; Const DWORD dwBase; // this document at first with its base address that links FILEENTRY, * PFILEENTRY;

Each bag of being created is signed for security reason, can be used for download/installation then.As described in the related U.S. patent application of above-mentioned by name " self-describing software image update components ", bag generative process/bag maker robotization comprise establishment by the APMB package of the full release that wraps the defined file of description document.Generally speaking, bag maker input package definition file (as, specify by the order line independent variable); Other input file is determined based on the package definition file content of appointment.Bag maker analysis package defined file (as, comprise one or more package definitions, each bag is as XML document clauses and subclauses codings), and can analyze to comprise and relate to and the bag shade file of data that is used for being surrounded by such as other of settings such as registration table is provided with priority of pass.In addition, the analysis of bag maker makes up inventory file to find out each file of wherein appointment, determines the type of this document then.For the executable file type, the bag maker call carry out the reorientation associative operation and carry out format (as, executable file is converted to The CE file layout) process (RelMerge).

In one implementation, the bag maker comprises that use is called the application program as the .NET class libraries of PkgCommon.Bag maker application program is created a plurality of sub-directories, and the quantity of the sub-directory of being created equals the quantity of the effective bag during the bag of appointment is set a file in the order line.Each bag has at bag and is unique sub-directory of its establishment in the generative process.In addition, the bag maker uses the other file of information creating that finds in the package definition in each sub-directory.For each bag, create an equipment list file, the name of this equipment list file derives from the GUID of this bag.For each effective package definition, create an APMB package to comprise the file that comprises this bag, comprise the equipment list file.These APMB packages meet 1.3 editions forms of CAB file of Microsoft.

Installation process is used the content of equipment list file in a large number, both has been used for being installed in those bags on the equipment, is used for being used for by lining up those bags that may install on the equipment again.Package informatin API is designed to provide the abstract method of inquiry packet information, and not only at equipment but also making up on the main frame and use.API has a detailed description in the related application of above-mentioned " determining to upgrade collection to effective maximum depended software is installed " by name.

Management is to the renewal of kernel or system partitioning and send it on the equipment that uses machine contracting system.Bag is sent to equipment, is stored in the temporary storage, also is used for installing by arbitrary suitable method by queuing, as the assembly by the existing operating system map.Can use the arbitrary suitable transmission method (physics and/or interface protocol) that is used for equipment that bag is sent to, and method can change according to the bag that will upgrade (as, be wireless to smart phone, intelligent display screen is USB, some desktop computer is upgraded application by a certain physical connection, or the like).End-user interface impression will be according to the type of the equipment that is upgraded, and is changed by the renewal process of equipment manufacturers' customization.According to fault secure of the present invention aspect, each interim bag is stored in the long-time memory, makes and is losing under the situation of power supply, and system can recover and continue to install.

When calling bag validator storehouse, trigger renewal process.In one implementation, the executable file of UpdateBin.exe by name is associated with .pkg.cab .pku.cab and .pks.cab file extension.This executable file utilization bag validator storehouse determine to update the equipment group of employed bag.

Signature, affirmation that the inspection of bag validator is wrapped are wrapped content, are examined version or the like.In case it is suitable that update package is considered to, they are used for installing by queuing, and validator that updating mark is set is available to upgrade to the equipment signaling, restart system then.

When restarting, initial program loader 222 is from first code snippet of the reset vector operation of CPU (although some equipment, the initial program loader can carry out program designation by existing boot loader map).Initial program loader 222 is responsible for determining whether equipment is in more new model, and perhaps whether equipment is in the normal boot pattern.If equipment is in the normal boot pattern, initial program loader location and with program designation operating system map then, otherwise, the update loader map 308 of initial program loader location, decompress(ion) and usefulness program designation decompress(ion).Fig. 5 A and 5B have described initial program loader bootup process.Shown in Fig. 5 A, after some initialization of step 502 (as, initialization CPU, if NAND is then initialization controller, initialization SDRAM or the like), the initial program loader is determined the reason that resets by step 504 and 506.More specifically, sequence is restarted in the imitation when the state from hang-up continues to carry out of some CPU architecture.Then, guidance code will continue to carry out to distinguish with " normally " guiding based on the CPU register value usually and come.The initial program loader regulate to continue executable operations, and step 504-508 is shown for integrality.

If not continuing execution, then step 506 is branched off into step 510-528, as can be seen, detects more new model, and if upgrade, then scans update loader subregion (step 520), otherwise at step 518 scan operation system partitioning.As by 522 being seen, under the situation of the operating system map on the initial program loader can't positioning equipment, the initial program loader is attempted to load and the operation update loader.If do not find suitable subregion, then output error (step 532); Attention at this constantly, equipment does not use operations such as normal display driving software, thus, this constantly shown any image all be bitmap from data-carrier store.

In addition, when being directed to operating system, by step 524 locked flash, this step is not carried out when being directed to update loader.Process proceeds to the step 538 of Fig. 5 B then, to handle compression and non-compression map.Notice that Fig. 5 B can be used for update loader or operating system.Update loader (on typical equipment) stores with compressed format, and operating system can be compressed or not with the compressed format storage, depend on whether this equipment is the equipment (if then can not be compressed) that allows code to carry out in the original place.

If be compressed, unzip among the RAM then from the various information of subregion/map retrieval, and with this map, and begin to carry out by step 540-546 about this map.Note, can use arbitrary proper compression algorithm, as long as the form of compression type and packed data is that the initial program loader is known.If be not compressed, then step 538 read information from the subregion sector in step 544, search catalogue (TOC) from this sector about this map, skew and signature.For this reason, the initial program loader has the priori where Main Boot Record resides in (next the good flash block after the initial program loader map initial), and searches active partition in the partition table in being stored in Main Boot Record.Thus, the initial program loader depends on the ROM map/disk image of the catalogue (TOC) with the original place execution area that correctly is arranged in the operating system map simultaneously and update loader map.In one implementation, provide as the position below:

Byte offset (map is initial+0x40):

UNIT32?ROMSignature；

UNIT32*pTOC；

This information is used to search TOC (as being placed by ROM map/disk image) by the operating system map.Pointer only is opened in Memory Management Unit (MMU), and mapping is meaningful during with the address compatibility that it made up the operating system map.A kind of alternative is following realization:

Byte offset (map is initial+0x40)

UINT32?ROMSignature；

UINT32*pTOC；

UINT32?TOCOffset；

Wherein, TOCOffset is the byte offset from the map reference position to TOC, and can is used for not searching TOC knowing that this map is implemented under the situation about where moving by initial program loader (or update loader application program).

The initial program loader also can be checked signature, and is represented as step 548.If invalid in step 548, then bootup process is suspended in step 550, and map is initial, map length to find out otherwise read catalogue by step 552 and 554, and skips to this address from catalogue.This address of tables of data correction that step 558 is supplied based on manufacturer where necessary.More specifically, the initial program loader is normally operated in the physical address space (or sometimes in the virtual address space that is different from operating system map or update loader map) of equipment.This routine is responsible for converting any map particular virtual address (as, operating system map TOC value) to initial program loader compatibility address.If the boot routine not enabled Memory Management Unit of manufacturer this means virtual address translation is become physical address.If enabled Memory Management Unit, and the mapping and how to make up operating system or update loader map compatibility, then without any need for conversion.

Step 558 test map is to be loaded into (if then occur in step 562) among the RAM, still can carry out in the original place.The map (loading or original place) that jumps to shown in step 564 begins to carry out then.Adopt the position of active partition, initial program loader (as designed) under the situation of NAND (maybe may be NOR) with the load content of active partition (kernel subregion) in RAM, if perhaps it is NOR (original place execution) kernel, then skip to the leading address in the subregion.If normal boot, then kernel begins and continues to load the operating system assembly that is positioned at the kernel subregion equally, can read from system partitioning to point out operating system.Any content that is not arranged in the kernel subregion is in this taken out (perhaps load or carry out in the original place) from system partitioning, guided fully up to the operating system map.

In one implementation, the initial program loader is relatively very undersized component software, and it makes program designation by the reset vector of CPU, and is responsible for loading/beginning operating system map or update loader map conditionally.As mentioned above, the initial program loader needs to read various registers, comprises RAM sign, flash memory/non-volatile sign and hardware switch, to determine that it is to guide normal operating system map or update loader map.More specifically, the initial program loader need check by the UpdateBIN application program (as, after confirming) or any sign of being provided with by the update loader application program because the operating system map is moved with read-only flash memory file system usually.For adapting to the power fail condition, it should be non-volatile upgrading mode flags, thus, if can't before restarting, store non-volatile sign, then the update loader application program is provided with non-volatile sign when moving for the first time, and after successfully finishing installation, remove this sign, make this sign stride power fail thus and be able to lasting preservation.

In addition, the initial program loader need be with various types of memory technology analyzing stored partitioned organizations, searching map, and can handle compression map type and flash memory XIP (carry out in the original place in flash memory) and RAM map (copying to RAM carries out).Generally speaking, the abstract memory attribute of initial program loader, as the piece of partitioned organization, reservation, bad piece or the like, and be used for any memory technology of the code that arbitrary OEM provides details (as, NOR flash memory, nand flash memory, HDD, DOC or the like).The initial program loader can confirm before with the program designation map operating system map and/or update loader map integrality (as, by carrying out verification and and signature verification), renewal also provides the method for examining the trusted code that is used for Digital Right Management thus as detection of malicious, and it need trust the UUID that returns from the kernel map is provided by the code of not distorted mala fide.

Thus, being seen and go out as shown in Figure 3 as Fig. 5, when in new model more, initial program loader 222 unzips to the update loader 220 of compression among the RAM 304 as the update loader 308 that decompresses, keeps the flash memory non-locking and carry out beginning with the write access authority of 308 pairs of system flash of update loader of decompressing and the loader code that skips to decompression.When by the initial program loader during for the first time with program designation, the update loader application program need store this equipment of indication and be in the more sign of new model in nonvolatile memory.This is because the operating system map may have read-only flash memory file system, and this sign can't be set, and recovery is important and this is to loss of power.The initial program loader is checked the existence of RAM sign and this non-volatile sign when determining that loading the update loader map still is the operating system map; The RAM sign is provided with by UpdateBIN application program (directly or indirectly).

Turn to the explanation of renewal process, as mentioned above, the process that is used to upgrade kernel or system partitioning content is carried out after update loader is guided fully and is loaded into RAM, and the bag (as specified by validator) confirmed to find out in the user memory of operation.Notice that update loader comprises necessary file system driver, and once begin the renewal process of a bag.The package informatin that is used for update package is recorded in file system, is used in renewal in the future by validator.According to one aspect of the present invention, for being provided, fault secure upgrades, and the initial program loader can recover by any point in loading procedure from power fail at random.For this reason, in transaction journal, follow the tracks of more new development, to allow to involve in renewal just in case power fail in renewal process, occurs.

In new model more, the update loader operation also begins to upgrade application program, and it is the executable file as the part of update loader map 308 (Fig. 3), and is responsible for wrap content application and arrives NK/ kernel subregion 204 and system partitioning 206.In other words, the renewal application program that is loaded by the initial program loader in renewal process is responsible for the bag renewal is applied to map.Notice that the update loader map comprises upgrades the required minimum module collection of application program, as nk, filesys, flash drive program, coredll, IMGFS or the like.

Fig. 6-8 has described application program and system partitioning renewal that whole updating process, NK/ kernel subregion upgrade respectively.Upgrade application program and work with the affirmation bag, and work to handle virtual and physical allocation, correction and arrangement function with the ROMIMAGE module with the bag validator.Being seen as Fig. 6, upgrade application program step 600 retrieval bag install tabulation (as, from registration table), confirm bag (step 602) by validator.In new model more, upgrade application program and be responsible for bag content application is arrived NK/ subregion and system partitioning.

To wrap content application before the nonvolatile memory upgrading application program, and confirm bag, this (especially) comprises that the signature inspection is to examine bag from trusted sources or the like.As can easily understanding, but know that bag upgrades from trusted sources and guarantees to exist single credible supervisor that flash memory is had a write access authority is important when the integrality of the flash memory of attempting to comprise equipment.Update package in building process, sign and suppose they be by upgrading the signature of one of many each bag trusted sources that may be different, and allow to continue by above-mentioned bag affirmation process.If they are not signed or not by the trusted sources signature, then bag is confirmed failure and is not updated thus.

Notice that the design of system is to make that the unique component software that is allowed to upgrade flash memory contents also is to be responsible for checking the same assembly that the validity (comprise and check signature) of arbitrary bag of (update loader) is installed by queuing.Same attention, update loader can not comprise any insincere or third party's code, as the general-purpose operating system.Thus, this system only moves trusted code, is not subject to the influence of distorting.When the off-duty update loader, this design has utilized forbids the hardware lock mechanism (at hardware layer) that partly writes to flash memory, and this part that need not at first to reset (it depends on CPU usually, and needs thus to reset simultaneously).In addition, the read-only version of operating system map include file system guarantees further that thus flash memory contents is nonupdatable, removes nonsystematic and is in the update loader environment, wherein, guarantees that bag is confirmed and safety inspection is carried out.

Examine also comprise the correctness of checking the bag content, with the information in the equipment list file with to wrap content relevant and guarantee that file (by name) is at one and only exist in a bag.The necessary version of confirming also to examine bag has been installed in the system or has been installed by queuing.For example, if the version 1.0 of bag A has been installed in the system, and increment/difference bag A becomes version 3 .0 with version 2 .0, then needs one will wrap bag that A becomes version 2 .0 and be lined up and install, and is installed so that this increment/difference is wrapped.Also satisfy and comprise that examining necessary dependent other of bag examines.For example, if the version 2 .0 of bag A depends on the content of version 3 .0 of bag B, then examine and check that back one bag has been mounted or has been lined up and confirm to install.Bag affirmation process also has description in the U.S. Patent application of above-mentioned " determining to upgrade collection to effective maximum depended software is installed " by name.

The result who confirms process on the equipment is the tabulation that can be installed in the bag (and file) on the equipment, because they have satisfied the affirmation demand.The affirmation process also generates can not be together with the package list of installing about the data why each concrete bag affirmation process is failed.The remainder of installation process only utilizes those bags by confirming.

Turn back to Fig. 6, update loader is responsible for any renewal is applied to kernel subregion (step 604 and 606), and any system update is applied to system's grouping (step 608 and 610).If other renewal is arranged, radio segmentation as the reservation of storer (is present in outside the scope of subregion, promptly, be arranged in the assigned address of flash memory uniquely, its partitioned organization is defined in reserve area " on every side "), then they are handled similarly by step 612 and 614, and Figure 10 is described as reference.

Bag can be deleted by step 616.In step 618 sign is arranged to a value (as cleared),, when making kernel renewal or system update, upgrades this system image, the starting system (step 620) of laying equal stress on the pilot operationp system image.

Fig. 7 A and 7B show the general logic that kernel upgrades, and wherein (carry out in the supposition original place) by existing kernel is read among the RAM, and is compressed to it in user memory, backs up this kernel.This is by step 700 expression, and wherein, the XIP subregion that is shown as the XIP file with a default document by file system obtains the handle that it is used for whole map is read in local buffer.In user memory, create new file, call packing routine and compress map, and then the file data of compression write in the new file.

Step 702 read head and other metadata.For this reason, this process Walkthrough (walk) pToc (bibliographic structure) is with the position of determining each segmentation, fill old module list and the segment data pointer is set with the appropriate location in the copy in the RAM that is oriented to backup and is created with module information.The part of existing TOC is saved and is copied among near the terminal new TOC that upgrades near the NK/XIP subregion.Notice that when the head of read through model, this process is also read the used equipment inventory file to search extra sign (compression, kernel module, slot 1 are ignored [L sign] or the like).

By step 704 and 722, subsequently by each module in the pack processing (step 706 and 720), determine whether this document is that bindiff (binary difference) module is handled each bag.This relates to each module that cycles through in each bag, and the using standard renewal, and the whole copy of new file wherein is provided; Or the application binary difference upgrades, and the binary difference of file wherein only is provided.The process of application binary difference is called as patchbin (beating binary patches); Independent binary difference is finished in each segmentation, finishes one at every turn.The head of new module provides with original canonical form.When updating file one by one, they are added to (with the form of file object) new listed files.There is the new listed files of the not invulnerable release that comprises update module and file in last in this step.If they are existing files, then they are removed from old tabulation, make last in this step, old tabulation only comprises the file that it not have renewal.Notice that this process knows that based on the existence of bag inventory file in this subregion which (a bit) bag is associated with this subregion.Any new bag of not installing on equipment as yet is stored in the IMGFS subregion.

Thus, in step 708, if not the binary difference module, then as long as add this module to new tabulation in step 718.If the binary difference module, need then to use that these are poor, to each execution in step 710-716 one after another of each segmentation to old code.

More specifically, as mentioned above, increment/difference comprises one or more binary difference files, and each binary difference file is corresponding to a specific file/module.This difference file is carved the specific baseline version that is updated when mounted based on it, and the binary difference file is usually less than the whole regular file of gained version, thus, it has improved download time/cost, and has reduced the temporary storage overhead that needs in the installation process.The binary difference file generates based on the difference that detects the file/module between two different standard bags constantly at structure.If file is an executable module, then they are handled by linker, and are arranged in the address of linker definition.They are not relocated to final position as yet, and this will be engraved on the equipment when mounted as described above and finish.

For the binary difference that makes executable module can be applied to the baseline version on equipment, this baseline version need be disengaged reorientation, turns back to the base address that generates from its linker that calculates this binary difference.In case the releasing reorientation version to module has been used this binary difference, it can be repositioned onto suitable basic virtual address.The process of removing reorientation and reorientation is identical, and is displaced to certain location by the base address with module and finishes.

After having handled each bag, kernel upgrades the step 724 that proceeds to Fig. 7 B, and wherein, any module that is not modified as yet is added to the new module tabulation.In this, the ancient deed tabulation comprises module and the file that will not be updated; These need be disengaged correction, turn back to original base address, make that existence can be by a unified list of the not correcting module of bulk treatment and file.The object that appears in the new equipment inventory file in the ancient deed tabulation is transferred to new listed files.Notice that if file is deleted, then it does not occur in the new equipment inventory file, and therefore be not placed in the new module tabulation.

Memory allocation and correction are carried out in step 726 and 728, and in step 730 new original place execution kernel map are write back in the flash memory, and this is also finished by the disk image instrument, and realizes (as described below) in romimage.dll.There is a function among the romimage, it adopts module list, and, make up new map by distributing new impact damper to make up new map, cycling through module list and copy to the correct position of appointment in the catalogue (TOC) to duplicate by the segment data of the appropriate position of data pointer appointment and with head and filename string.As hereinafter described, write new TOC at the end of map, and upgrade the pTOC pointer to point to the position of placing new TOC.Same as hereinafter described, the data sementation band of following the tracks of in the slot 0 is used for the NK/XIP map, and it is connected with the IMGFS band, and is output in the IMGFS renewal process in the IMGFS file that comprises the ROMINFO structure.

When flash memory write goes out any content, this process writes down in journal file and writes well afoot.Finish in case write, it is recorded, and thus, if lost power supply before the deletion backup file, also knows correct state.

If whole process all is successful, then at step 732 deletion backup file, this is included in and writes the XIP subregion to journal file after deletion this document and finish.If mistake has appearred in the arbitrary step in the NK/XIP renewal process, if increase the size that has surpassed subregion such as map, then recover the backup version of this map, and the indication of suitable user interface mistake appears in renewal process and recovers original map.If can not successfully write backup version (as, in the flash memory mistake), then provide a different UI message mistake in renewal process, to occur, but original map can't be resumed and may be destroyed with indication.

Equally, the state of record renewal is used for UpdateBin.Notice that this is different, upgrading the employed journal file of application program is internally to be used for transaction journal.

In this, there are the module of this map of composition and the single listed files of file.This is with identical in conjunction with the performed initial installation of romimage.dll by the disk image instrument, as described at the U.S. Patent application of above-mentioned " creating file system in the abstract mode of memory technology in file " by name.

On higher rank, the bag installation process relates to be extracted the bag content and applies it to equipment.Yet these mechanism comprise the main some steps that center on the notion of code correction or code reorientation.The present invention is engraved in when mounted to carry out on the equipment and revises and reorientation, carries out but not be engraved in the constructing system when making up.Benefit is the bag erectility to particular system because install do not need the entire equipment map make up constantly available.On the contrary, its allows bag to upgrade to be used as to handle from the entity that the specific operation system map configuration that is installed on the equipment is largely isolated.

For making the executable module can be by reorientation, module need comprise the information of addressing in the module that needs are updated when instructing steady arm to change in the location, base address of module.The map update module utilizes the relocation information coding mode to provide this information with the form with compression in executable module itself.

As institute's general description in above-mentioned U.S. Patent application " self-describing software image update components ", the RelMerge instrument changes into module (.EXe or .DLL) and is fit to be included in the bag, and therefore can be installed to the form of equipment.This comprises relocation information is changed into the compressed format that is more suitable for standing storage on equipment, and top of file is changed into the rom variable that is used by the ROMFS file system on the equipment.In addition, when rearranging, the filling of any surplus is also removed from all segmentations of file.

In case with this information coding, can change the basic virtual address of executable module, but and all relevant address references in the modified module, to solve the variation in the base address.Repositioning process utilizes the code library of sharing between equipment and desktop computer.Under one situation of back, it is used to create initial manufacturing map, makes to carry out actual reorientation on code module, and also is used to create the tabulation of employed virtual address space when each update module is installed, thus, allow the consumer of API to believe that the module reorientation can be not overlapping.Initially make map by disk image instrument and romimage.dll building component and in the relevant U.S. Patent application of above-mentioned " abstract mode is created file system in file with memory technology " by name, description is arranged.

Generally speaking, virtual/physical allocation and correction and disk image instrument are worked in the same manner, that is, the location is from the old catalogue (TOC) of NK/XIP map and locate old ROMINFO.The pointer of bearing direction TOC is gone up in fixed position in map (as, skew 0x44).From the IMGFS file that is called " .rom ", read old ROMINFO structure.

For distributing virtual address, slot 0 divider begins with the top of slot 0, and finishes based on the value dwSlot_0_DllBase in the IMGFSROMINFO structure.Slot 1 divider begins with the top of slot 1, and finishes based on the value of the value dwSlot_1_DllBase in the IMGFS ROMINFO structure.VA with code and data correction Cheng Xin distributes then, and makes whole module list use.Compression is marked as the segmentation of compression, and its size is recorded in the module object.

For distributing physical space, RAM is used RAMIMAGE, and flash memory is used ROMIMAGE to map.For RAM, RAMIMAGE physical allocation device uses the start address of the physfirst of old TOC as the physical allocation device.The end of physical allocation device is designated as the ulRAMEnd of old TOC at first.For RAMIMAGE, return RamStart=PhysFirst+PhysLength (physical length that map is required) by the physical allocation device; The virtual address position of determining the copy segmentation is from RamStart, and begins therefrom, and the text/data that relate to the copy segmentation are corrected.

For ROM, ROMIMAGE physical allocation device uses the physfirst of old TOC to be used for the start address of physical allocation device, and the end of physical allocation device is determined by the length of using GetPartitionInfo to obtain the subregion on the flash memory.

Notice that the TOC of renewal generates in the physical allocation process.

Different with the XIP subregion, in the IMGFS subregion, do not make whole map again, to such an extent as to because this can't back up too greatly.On the contrary, the IMGFS file system is used for upgrading to individual other module and file applications, upgrades one at every turn.In addition, notice that individual other module and file may be too big,, then can use and upgrade, as hereinafter described with reference to figure 9 by less piece to such an extent as to can't do as a whole finishing.

IMGFS upgrade to use NT to upgrade employed identical file tabulation, although a tabulation will be updated when having served as the Cheng Qian and advancing.As hereinafter described, IMGFS at first simulates the renewal process, needs twice by this process.In first pass, IMGFS and renewal application program are not submitted any content to flash memory.If simulate successfully, then move second time with reality submission change.If the simulation failure, then retry is simulated after reruning the bag validator, and imports the package list of the bag that does not comprise failure into.The new tabulation of returning with the bag validator moves simulation once more then.The retry simulation up to simulating successfully, does not perhaps have till applicable any bag.Although this prevention may have the data corruption of destroying but still occurring in the quilt bag of signing.

Fig. 8 A and 8B show the general logic that system partitioning upgrades, and wherein, upgrade the read/write version interface of application program and image file system driver (IMGFS), with the management system subregion.Notice that in normal (non-renewal) operation of canonical system, system partitioning is read-only (and flash memory is locked) for the IMGFS driver.In addition, notice that different with the kernel renewal, system update does not back up as a whole, although transaction journal can return to equipment fault (as power fail) its position in the system update process before, and system update can be proceeded from that.

In step 800, the existing module in the scanning system subregion (imgfs zone), and add them to virtual address (VA) divider.In scanning process, this process also detects the deletion situation.More specifically, when using the existing equipment inventory file repeatedly by the module among the IMGFS, whether this process check file occurs in the new equipment inventory file of this bag.If not, then this document is deleted from the IMGFS subregion, and process continues next file.If then obtain the new module sign, and use IOCTL_BIN_GET_E32 and IOCTL_BIN_GET_O32 that the module head is loaded in the modular structure from the new equipment inventory file.Note, at this moment, do not read in the data that are used for module and file data, because do not need.In case read in each module head, then this module list be delivered to divider to keep virtual address (comprising the segmentation of the reservation of learning in the reservation table from be stored in flash memory).

In case scanned existing module, and defined the virtual address of current distribution, this process has been ready to begin upgrade.For this reason, process cycles through each bag (by step 802 and 828), and circulation (by step 804 and 826) is handled each file one by one by each file in the bag.File is handled with the order of the net gain of size, from shrinking maximum files, and to increase maximum end of file.The increment of file size is definite by the used equipment inventory file being compared with the new equipment inventory file come.

If in this process, lose power supply, then journal file will inform definitely this process rest on which bag and the bag in which file on.This process is proceeded at the file place that is stopped, and completed updating file is used as the existing file processing on the power fail this point.Be recovery, any new module in the renewal process is not included in the initial reservation, and old module is in reservation.Old module virtual address space is removed distribution as usually.If new head is write out, then it will comprise the virtual address space distribution that is used for this new module.In this case, use Reserve (reservation) function to add it to virtual address space divider.If new head is not write out as yet, then use Allocate (distribution) function to distribute new virtual address space as usually.

The part of above-mentioned processing comprises (for executable file, but not data file) upgrading the virtual address that is used for update module distributes, this is by determining whether virtual address changes, and if, then shown in step 806, remove to distribute old virtual address space and be used for new module and distribute virtual address space to finish.If the virtual address size changes, then call Deallocate (remove and distribute) function and remove old virtual address space from divider, and to call Allocate (distribution) function be that new module is distributed new virtual address space, imports suitable alignment requirement into according to code or data.Remove and distribute and can in this case, delete old module corresponding to the order of removing module by step 808 and 824, (if but it is the new module of just installing, then do not delete).If not delete command, then step 810 is called CreageFile (establishment file) function at IMGFS, for example uses new_＜module_name when the new file of name 〉.＜module_extension 〉, in the image file system, to create new file; (,, then no longer creating it) if this document has existed for recovering during at this operation near fault at power supply.

For executable file, step 812 is read in new head in the module object by using IOCTL_BIN_SET_E32 and IOCTL_BIN_SET_O32, and distribute with new virtual address space and to upgrade this head and write suitable head to executable file, shown in step 812.Each operates among the IMGFS is atom.In this, head should be complete.No matter data pointer (dataptr) (being 0) is because IMGFS forges this value when kernel requests E32/O32.Head is a canonical form, or even in the binary difference file.

If when writing head, lose power supply,, then do not need to finish any recovery if two heads all exist.If only write out the E32 head, then only need to write out once more the O32 head.The existence of each head can be known by IOCTL_BIN_GET_E32 and IOCTL_BIN_GET_O32.

Upgrade for using, notice that the renewal to file can be canonical form or binary difference form.If the file that upgrades is not a module, then handle the data of this document in the mode identical with indivedual segmentations.If this document is a module, then, handle one with each segmentation of sequential processes of net gain at every turn, begin to shrink maximum segmentations.At first handle the .creloc segmentation.Each segmentation is written to a new stream.If file is the routine data file, then these data are written in the default stream.

If as assessing in step 814, module is that standard is upgraded, then each segmentation in the step 816-822 processing module, comprise whole segmentation is reoriented to by virtual assigned device institute's addresses distributed (step 818), and whole segmentation is write in the new IMGFS file (step 820) as new stream.Then in the old module of step 824 deletion, unless old module is actually new module.

Under the situation of standard, by obtaining the size of each stream in the file that is write out, and it is compared with the size of this segmentation in the authority file, carry out recovery to power fail.If newly the stream in the file is less than authority file, part that process stops that then Here it is, and can proceed on data, to duplicate.

Under the situation of binary difference, a piece is finished patchbin (beating binary patches) program (as hereinafter described with reference to figure 9) at every turn, wherein, a piece equals page or leaf/sector-size.This is owing to may there not be enough flash memory space to keep the old and redaction of segmentation simultaneously.Can be as creating the piece of new file by the specified any order of binary difference file, the feasible process that can finish patchbin by preferential use flash memory space.When creating new piece, old can be disengaged distribution, because they no longer need.

For this reason, if in step 814, module is not that standard is upgraded, and then process is branched off into the step 832 of Fig. 8 B, and wherein, integrating step 852 cycles through each segmentation in this module, upgrades with application binary on the basis of block-by-block.More specifically, step 834 is created rarefied flow for this segmentation in the new module file, and (step 836) among the RAM read in old segmentation.Whole old segmentation is relocated gets back to original base address (step 838).

For each new (step 840 and 850) in the binary difference file, order makes up new piece (step 842) based on binary difference.New piece and is written out in the rarefied flow in step 846 on step 844 is relocated to by virtual address divider addresses distributed.Any old that no longer needs in the ancient deed stream be disengaged distribution, as by shown in the step 848.The notion that piece upgrades is also described with reference to figure 9 hereinafter.

Under the situation of binary difference, power fail is handled by dwindling the scope that rests on which segmentation, and this compares with specified size in the head and finish by flowing size.In case determined segmentation, the example of establishment patchbin as usual.When order when returning next piece (patchbin output must be to reproduce/confirmable), check whether this piece is submitted.Because it is atom that piece is write, and can't submit the part piece to.If block is submitted, then abandons the data of returning from patchbin, and carries out and to examine to check that suitable old has been disengaged submission.In case find the piece that is stopped, (that is, not submitted as yet piece), then process continuation as usual.

For finishing, if this is existing file or piece, and be the binary difference situation, then delete old module (under the standard situation, this document is deleted), and journal file writes down this module and finishes.If bag is done, then replace this situation of record.When having finished all bags, with the ROMINFO topology update .rom file that upgrades, it comprises slot 0 basis, slot 1 basis and is used for slot 0 data tape of NK/XIP and IMGFS map.

If in arbitrary step of IMGFS renewal process, mistake occurs, as, if binary difference does not have enough flash block to use, then cancel renewal process, and do not attempt recovering, because it may recover, and show suitable message.Notice that operation simulation in advance can be avoided this problem.

As can be seen, the renewal of kernel subregion is differently handled from being updated to system partitioning, although from making up and the packing viewpoint, they are identical.More specifically, when upgrading the kernel subregion, from flash memory, take out some NK.NB0 (the kernel partition mappings of signature) file in RAM, upgrade in due course and be modified to subassembly, then the .NB0 content of revising write back in the flash memory with continuous piece.This allows to skip when needed any bad piece.

According to another aspect of the present invention, as mentioned above, how these mechanism consider the notion of the optimization order of application binary difference file.As is understood, need some interim storer of filling, with to baseline map application binary difference file, and generate the module/document of the renewal of gained thus.When making up, when generating the binary difference file, on the map of gained, move alignment processes, to arrange the order of upgrading the piece in the binary difference file, the feasible maximal value that keeps necessary available interim filling storer to a certain appointment.By on constructing system, carrying out this Optimizing operation, if the present invention has guaranteed the overall growth (or contraction) that equipment has enough storeies and is used for map, and it has necessary interim packing space, and then equipment necessarily has enough storeies and finishes renewal process.Before beginning renewal, in the affirmation process, carry out big minor inspection.

Fig. 9 has generally represented more new ideas of piece.Generally speaking, system file is bigger, and thus, if the new file of whole creation, and, then could consume a large amount of interim storage (greater than available interim storage) to ancient deed overall applicability binary difference.On the contrary, use difference to the existing piece of the file that will upgrade and upgrade, can obtain the piece of new renewal, the piece that upgrades is copied in the document flow of renewal, and when no longer needing, remove and distribute old.

Be to realize that piece upgrades, makes up old and the new dependency graph between the piece, this Figure 90 0 by Fig. 9 generally represents.As is understood, differing from file 902 will be applied in the actual block by the represented data of the node among this figure.In one implementation, piece is four kbytes in size, and 32 pieces of maximum permissions of arbitrary moment, and this means only needs 128 kilobyte to can be used to guarantee that system can be updated.Notice that above-mentioned sample block size and whole restriction are arbitrary values, but need agree by the supplier of the renewal application program of system update and equipment.Can't satisfy under the situation of the restriction of being agreed in specific renewal, make up in the process of upgrading, need disconnect dependence link (not needing non-difference to upgrade) by dealer to such piece at the dealer place.

As shown in Figure 9, single old renewal piece can provide the dependence data (using the difference file to these data) of one or more new renewal pieces, and newly upgrades piece and can be dependent on one or more old renewal pieces.Generally speaking, upgrade, make progress up to having used this each difference file of old by the one or more poor file that application is suitable to old.At this constantly, can disconnect rely on link (as, as by shown in Figure 9, by disconnecting the link between old X and the new piece Y) because old no longer be that new piece is required.Because this is unique link that is associated with old X, therefore can removes and distribute old X to be used for another piece with Free up Memory.Equally, owing to after old has been used poor file, disconnect the dependence link, when new piece does not arrive old dependence link, promptly, when new piece is written into by the difference renewal process fully, this new piece can be copied to flash memory in due course, and removes from RAM and distribute, and is used for another piece with Free up Memory.Note, can remove at synchronization and distribute a plurality of.

As can easily understanding, the order of using the difference renewal can help the release of storer.Generally speaking, this upgrades at first using difference to old that the new piece with maximum dependence links is had minimum dependence link in proper order.A kind of algorithm is carried out secondary search (as, the search of link count device array) to old of lowest count with the new piece of the highest counting.

For piece upgrade being carried out pre-flash memory simulation because whole file may not exist in simulation at any time, therefore based on each piece calculation check that will write and, and the verification that contrasts the verification of each renewal and examine gained with.If the verification that this simulation generates and passing through then can be carried out the actual renewal to flash memory.

Turn to upgrade to keep segmentation, Figure 10 show keep segmentation upgrade (as, outside subregion) use same renewal assembly to finish to be similar to the mode that the NK subregion upgrades.By step 1000 and 1016, handle each by each file in the pack processing (step 1002 and 1014) and keep the associated packet renewal, determine whether this document is bindiff (binary difference) module.If not, then as long as file data is read and is write the zone of reservation from file in step 1010 and 1012.If the binary difference module, then read existing zone (as, read in RAM) in and poor to its application binary write back more new data to the zone that keeps before, as what by step 1006,1008 and 1012, represent.

When using the bag content of the bag of each queuing with suitable order (according to the bag version), and upgrade when finishing, APMB package can randomly remove from user memory, or is marked as and finishes.At this constantly,, upgrade application program and finish its work by forbidding more new model (removing the flash memory updating mark) in case the content of the bag of confirming is installed in the suitable flash partition, and restarting equipment.Former, the initial program loader detects current system model, but this time, because the sign of removing, guides the operating system map of renewal and installation as described above with the flash memory of locking.

According to one aspect of the present invention, provide fault secure/recovery update method.For this reason, the part of map Renewal Design provides as owing to unexpected loss of power the fault secure under the interrupted situation of renewal process being recovered.Realize method that fault secure is recovered comprise by charge to daily record and file system human factor (as, involve in recoverys) make to reenter and make update loader and upgrade application program, and can determine to upgrade to operate and where rest on.What regulate simultaneously is to support to write to file to upgrade and need not to remove fully and submit to old copy up to the transactional file system of having submitted new renewal (this finishes with the son file increment in the system partitioning, as, piece) to storer to.Can carry out be submitted to the whole erection process of storage on this point simulation to guarantee having carried out nearly all relevant code path, and the fault mode that reality is upgraded is reduced to fault in the hardware (as, flash failure) or the possible breakdown in the rudimentary flash software routine.(as, radio) zone of the backup of NK/ kernel and reservation is provided, makes under the situation of upgrading failure, after the retry of some concrete quantity, can recover the backup of original map subregion content, and end to install (that is rollback recovery).

Upgrade the application tracks installation makes progress, regains its part that stops, also backup (also may recover) NK/ kernel and reservation under the situation that accident is interrupted zone.Upgrade the map of application program update RAMIMAGE, ROMIMAGE, IMGFS and reservation.RAMIMAGE and ROMIMAGE subregion generate in the same mode with desktop computer disk image instrument generation subregion, that is, the IMGFS subregion is arranged the module of upgrading and is upgraded by making calling with virtual and physically correct with existing layout work and to IMGFS and divider.Above upgrade and make by overriding whole zone with reference to the described reservation of Figure 10.

In one implementation, when the renewal application program began, the bag that its supposition will be installed was arranged in temporarily and saves contents, and as specified in the renewal application program input file in the user memory, it comprises the input that is used to upgrade application program.Upgrading the path of application program input file specifies in registration table.The renewal application program is not paid close attention to bag and where is stored in, and no matter it is internal data memory or external memory card, as long as provide complete path to be used to save contents.Provide the path of the bitmap file that is used to upgrade simultaneously; Notice that normal operating system code is in operation, and thus, for the user interface purpose provide bitmap (as, progress bar is shown, upgrades which file, error message or the like).

Upgrade application program and be delivered to the bag validator by the path that will save contents and begin, it returns the tabulation of the order of designated mounting bag, as described in the related U.S. patent application of above-mentioned " determining to upgrade collection to effective maximum depended software is installed " by name.Then, update loader processes repeats by each bag, and uses suitable renewal one XIP, IMGFS and/or reservation, and is described with reference to figure 6 as mentioned.

Upgrade application program and can be considered to have some process/assemblies, comprise the NK/XIP renewal process of being responsible for the renewal of NK/XIP subregion.Map in this subregion can be ROMIMAGE or RAMIMAGE (wherein, ROMIMAGE is a map of directly carrying out and need the NOR flash memory from flash memory, and RAMIMAGE is loaded into RAM and can be stored in map in NOR or the nand flash memory).Regardless of the type of map, when read and write, the direct and piece USBDI of area update.

Another process/assembly of map is that IMGFS upgrades, and it is responsible for the renewal to operating system partition, is managed by image file system (IMGFS).Keep the responsible renewal of renewal process to radio or other reserve area.Direct and piece USBDI when reserve area is updated in read and write.

Romimage is the shared assembly (sharing with desktop computer disk image instrument) that initial installation map is provided when manufacturing equipment, and is responsible for virtual and physics (storer) distribution and module correction.The function that Romimage.dll comprises Allocator (divider) class hierarchy and the function that is used to create and manage a plurality of dividers, File (file) the class hierarchy (being used to store the metadata about file or module) that is used to create also management document tabulation and function and supports renewal and building process.The Patchbin assembly provides the application binary difference to upgrade the process that generates new file.Old module data and binary difference offer this assembly as input, and its output is the data that are used for new module.Can provide the UI assembly in renewal process, to show the appropriate users interface data.Notice that content viewable can be provided with in advance based on the operating system area and generate.

The NK/XIP renewal process can be the function that is called by the principal function of upgrading application program, and it adopts the tabulation of NK/XIP bag to use.Need upgrade application program to the renewal of NK/XIP subregion and make complete map (being actually the disk image instrument process on the equipment) again.In the NK/XIP renewal process, maintain old listed files and new listed files.The ancient deed tabulation comes initialization with the front module of working as in the NK/XIP subregion, and this information makes together in conjunction with bag and is used for creating new listed files as net result.New listed files comprises creates the required information (head, segment data, sign or the like) of map, and this tabulation is passed to virtual and the physical allocation device re-executes assigning process.

Above-described Fig. 7 A and 7B output show kernel area and how to be updated.Be the step of overview diagram 7A and 7B, this process whole XIP (or other) zone is read among the RAM and with its backup for the existing module in the compressed file in the user memory, the scanning XIP zone with read head and other metadata and make up update module and the not invulnerable release of file.This process adds the remainder of the module that is not modified and file to the new module tabulation then, carry out virtual/physical allocation and module correction and new XIP map is write back in the flash memory.

Fault secure method in this step is quite to understand, because do not submit to any content to finish up to process to flash memory.Therefore, if before writing new map, power fail occurs, only need re-execute this process.If power fail occurs when making new advances map writing, the backup copies of old map still exists, and can be used for recovering map (if journal file specifies new map to be in the process of being write out, then can use the backup file of compression to recover the copy of old map).Step in the journal file record affairs makes it understand to know that process fails wherein.

Claims (34)

1. in computing equipment, a kind of method is characterized in that, it comprises:

Determine that it still is new model more that described equipment is directed to operating system schema; And

When described equipment is directed into described more new model, the map in the storer of described equipment is carried out at least one upgrade, simultaneously the state of described renewal is charged to daily record, so that recover in arbitrary fault that can from each renewal process, may occur.

2. the method for claim 1 is characterized in that, determine with described equipment be directed to operating system schema still be more new model comprise and check a sign that before restarting, is provided with.

3. the method for claim 1, it is characterized in that described map is divided at least two subregions, and wherein, by being that a subregion of selecting makes up one and replaces map and described replacement map is override on the existing map in the described subregion, upgrade selected subregion.

4. method as claimed in claim 3, it is characterized in that it also comprises: the described existing map in the described subregion is backed up into a backup map, determine to write described replacement map and whether successfully finish, if not, then recover described existing map from described backup map.

5. method as claimed in claim 4 is characterized in that, backs up described existing map and comprises with compressed format and store described backup map.

6. the method for claim 1 is characterized in that, described map is divided at least two subregions, and wherein, upgrades a subregion of selecting by at least two assemblies that upgrade individually in the described map.

7. method as claimed in claim 6 is characterized in that one of described subregion is a system partitioning, and wherein, upgrades at least two assemblies in the described map individually and comprises operating system file is write in the described subregion.

8. the method for claim 1 is characterized in that, carries out described at least one renewal and comprises to existing component application one a binary difference file.

9. method as claimed in claim 8 is characterized in that, comprises a subclass from described binary difference file a to subclass of described existing assembly that use to existing component application binary difference file.

10. method as claimed in claim 9 is characterized in that, described subclass comprises that one has the data block of determining size.

11. method as claimed in claim 9 is characterized in that, at least one renewal of carrying out map over is included in submits to described renewal to simulate a renewal process before, reach and determine described the simulation successfully.

12. the method for claim 1, it is characterized in that, one group of described in upgrading is updated on file in the bag and the file and individually carries out, and described indivedual bag and fileinfo are logged, make after arbitrary fault, visit described journal file and determine which file is described fault appear in which bag and the bag on.

13. in computing environment, a kind of method is characterized in that, it comprises:

One operating system map is split into independent renewable subregion; And

Upgrade at least one subregion isolator with another subregion,

Wherein, when carrying out renewal, simultaneously the state of described renewal is charged to daily record, so that recover in arbitrary fault that can from each renewal process, may occur.

14. method as claimed in claim 13 is characterized in that, upgrades at least one subregion and comprises computing equipment is directed to more new model.

15. method as claimed in claim 13, it is characterized in that, upgrade at least one subregion isolator with another subregion and be included as first subregion and make up one and replace map and described replacement map is override on the existing map in described first subregion, and upgrades described second subregion by at least two assemblies that upgrade the map in second subregion individually.

16. method as claimed in claim 15, it is characterized in that it also comprises backs up into a backup map with the described existing map in described first subregion, determines to write described replacement map and whether completes successfully, if not, then recover described map from described backup map.

17. method as claimed in claim 16 is characterized in that, backs up described existing map and comprises that the form with compression stores described backup map.

18. method as claimed in claim 15, it is characterized in that, upgrade described second subregion and comprise the identity of the assembly of described each renewal is charged in the journal file, make if fault is visited described journal file and determined which assembly is described fault appear on.

19. method as claimed in claim 15 is characterized in that, upgrades described second subregion and comprises to existing component application one a binary difference file.

20. method as claimed in claim 19 is characterized in that, comprises a subclass from described binary difference file a to subclass of described existing assembly that use to existing component application binary difference file.

21. method as claimed in claim 20 is characterized in that, described subclass comprises that one has the data block of determining size.

22. method as claimed in claim 15 is characterized in that, upgrades described second subregion and is included in to submit to described second subregion and simulates renewal process before upgrading, and determine described the simulation successfully.

23. in computing equipment, a kind of system is characterized in that, it comprises:

One guiding mechanism; And

One update loader; described guiding mechanism is directed to described update loader when detecting a renewal co-pending; described update loader comprises the sole entity that in the described device code protected storage of described equipment is had the write access authority; described Guared memory comprises at least two subregions; and described update loader is upgraded each subregion individually

Wherein when carrying out renewal, simultaneously the state of described renewal is charged to daily record, so that recover in arbitrary fault that can from each renewal process, may occur.

24. system as claimed in claim 23, it is characterized in that, it also comprises an affirmation process, wherein, before being directed to described update loader, described affirmation process is confirmed at least one update package, if described at least one update package is effective, then described affirmation process with each effectively the bag queuing upgrade, and a described guiding mechanism be set be used to detect described update mechanism co-pending.

25. system as claimed in claim 24 is characterized in that, described affirmation process is correctly signed and is confirmed described at least one update package by verifying each bag.

26. system as claimed in claim 24 is characterized in that, described affirmation process is correctly constructed and is confirmed described at least one update package by verifying each bag.

27. system as claimed in claim 23 is characterized in that, described guiding mechanism is directed to described more new model based on a value of statistical indicant that was provided with described equipment before restarting.

28. system as claimed in claim 23; it is characterized in that; the Guared memory of described equipment is divided into a plurality of subregions; and wherein; by described renewal assembly by being that a subregion of selecting makes up one and replaces map; and described replacement map is override on the existing map of selected subregion, upgrade selected subregion.

29. system as claimed in claim 28, it is characterized in that, described renewal assembly backs up into a backup map with the described existing map in the selected subregion, if be used for returning to when described replacement map is not successfully written into selected subregion selected subregion.

30. system as claimed in claim 29 is characterized in that, described renewal assembly backs up described existing map with the form of compression.

31. system as claimed in claim 28; it is characterized in that the Guared memory of described equipment is divided into a plurality of subregions, and wherein; by upgrade at least two assemblies in the subregion of selecting individually by described renewal assembly, upgrade selected subregion.

32. system as claimed in claim 31 is characterized in that, described update loader is by upgrading at least one of assembly in the selected subregion to existing component application one a binary difference file.

33. system as claimed in claim 32 is characterized in that, described update loader is used described binary difference file by a subclass from described binary difference file a to subclass of described existing assembly that use.

34. system as claimed in claim 31 is characterized in that, described update loader is at least one renewal of simulation before submitting described renewal to.

Images